Online Index ("the Service", "we", "us") is a personal knowledge management application that lets a signed-in user save notes, photos, links, and Bible references in their own private hub.
What we collect
- Account info: email, username, display name, and (optionally) first and last name. Provided by you at sign-up or via Google sign-in.
- Authentication: a salted PBKDF2 hash of your password (we never store your password in plain text), or your Google account identifier when you sign in with Google.
- Your content: the notes, photos, links, tags, and other items you add to your hub. Stored in our database and (for files) in Cloudflare R2 object storage.
- AI-derived metadata: for photos and links you upload, we run Cloudflare Workers AI to extract text, generate a description, and pick topic tags. This data is indexed for search but you control whether to display it.
- Session cookies: a signed HttpOnly cookie used to keep you signed in. No third-party tracking cookies.
How we use it
- To run the service: storing your hub, serving your photos, indexing your content for full-text search.
- To authenticate you on return visits.
- To resolve password resets if you request one (via email).
We do not sell, rent, or share your data with advertisers. We do not run analytics or behavioral tracking.
Where it lives
All data is stored on Cloudflare infrastructure: D1 (database), R2 (object storage), Workers (application runtime). Subprocessor: Cloudflare Inc. See Cloudflare's DPA for their data-handling practices.
Google sign-in
When you choose "Continue with Google", we receive your Google account email, name, and Google subject identifier — nothing else. We use these solely to create or match your account on Online Index. We never access your Gmail, Drive, Calendar, or any other Google service.
AI processing
Photos you upload are sent to Cloudflare Workers AI (specifically Meta's Llama 3.2 Vision and Llama 3.3 models, running on Cloudflare's infrastructure) to extract text and generate descriptions/tags. Cloudflare's Workers AI does not retain inputs or outputs for training.
Your rights
- You can delete any entry from your hub at any time. Deletion removes both the database row and the underlying file from object storage.
- You can sign out, which clears your session.
- To delete your entire account and all associated data, email us at the address below and we will action it within 30 days.
Security
All traffic is HTTPS. Passwords are PBKDF2-hashed with per-user salts. Sessions are HMAC-signed. Security reports: see /.well-known/security.txt.
Contact
kevin.mitchell@mainst-group.com